
Securing Compliance

Posted by Tom Parish on Nov 1, 2005 4:30:51 PM

by Tom Field


Need to comply with HIPAA, Sarbanes-Oxley, Basel II or other regulatory requirements? Trying to decipher IT security's role? Be prepared for good news and bad news. The bad news: Demonstrating regulatory compliance will put IT security efforts under heightened scrutiny. The good news: This scrutiny will force enterprises to do something they should have been doing all along: Ensure that adequate security policies and procedures are in place, monitor for any lapses in compliance, and fix any problems that arise.


"When companies look at what they need to do to comply with these regulations, it turns out that much of it is what they should have been doing anyway to make the environment more secure," says Mark Nicolett, research analyst at Gartner. "So many of the regulations aren't really demanding anything beyond well-defined and effective identity and access management policies, practices and processes, and effective monitoring functions."


Rather than see regulatory compliance as a burden, smart enterprise leaders see it as an opportunity to demonstrate that investing in IT security is more than just a cost of doing business. It can pay off by helping companies reduce financial risk, maintain customer confidence, increase trust among business partners, protect the company's reputation -- and keep the auditors happy. "If you're not ready to answer auditors' questions, that's a sign you don't have your act together," says Michael Rasmussen, principal analyst in Forrester Research's security research group. "If you don't have a well-documented security architecture and someone who can answer questions, that's going to be a red flag that something requires further investigation."


SECURITY CHECKLIST

Top Tips on How to Secure Compliance

DEFINE:

  • Which data assets need protection -- financial information, customer records, patient health history, etc.?
  • Who can and should access that data?
  • Retool security policies and procedures to protect assets appropriately. Ensure protections meet regulatory requirements.

PROTECT:

  • Does technology currently in place ensure compliance with controls? What protection gaps exist?
  • Decide whether to invest in new technology -- e.g., identity management, access control management, password management, intrusion detection -- or whether to deploy existing technologies more broadly.
  • Reevaluate protection mechanisms as new applications come online, employees, customers or partners change, or as regulations evolve.

VERIFY:

  • Automate notification to IT personnel when access breaches occur and validate remediation processes.
  • Consider security information management systems for identifying access violations and documenting compliance.

Seeing Security Through a Business Lens

From an IT security point of view, the first aspect of demonstrating regulatory compliance is documenting existing security policies and controls, seeing how those mesh with regulatory requirements, and making changes where necessary. Companies can take a high-level view, using the ISO 17799, CobiT or COSO security standards as a framework, but that won't get them all the way there, says Amy Ray, trustee professor of computer information systems at Bentley College in Waltham, Mass. "A high-level centralized security policy doesn't work well because systems are decentralized, and information sharing is happening outside the network," Ray says. "Much of the new legislation, including HIPAA [and the Gramm-Leach-Bliley Act], is driven by problems associated with external information sharing. This is a new phenomenon."


In some ways, going through this definition stage is the ultimate exercise in IT-business alignment. It's imperative that IT avoid talk of packet sniffers and buffer overflows, analysts say. "A lot of the process of documenting compliance means identifying where information is in the enterprise, what systems and business processes interact with it, and what controls are in place," Rasmussen says. "In trying to hit the technical [side of compliance], you have to go through the business lens." Ray concurs: "The onus is on security officers to speak the language of business."


Translating Policy Into Technology

After companies have defined security policies and procedures that meet the regulatory requirements, and have identified critical assets and business processes, the next step is to ensure that the appropriate technology is in place to protect those assets. Organizations that have focused their security efforts primarily on the perimeter -- building good fences, so to speak, to thwart external attacks -- will need to broaden their focus to police activities on internal networks and applications. "Most organizations have adequately addressed security around the perimeter, but the heart of the regulations is around specific data at the core of our networks and systems," Rasmussen says.


In response to regulatory compliance and audit demands, Gartner's Nicolett says he has seen an increase in client activity in two areas: user administration and access controls, and monitoring for lapses in user administration and access controls. Password management, identity management, and access-control software are garnering attention, as is software that monitors system and application logs for administrative changes and resource access.


Some organizations may not need to buy new technologies to comply with regulations. "It's more about documenting or more effectively managing what you have," Rasmussen says. If a company has role-based access control deployed in one part of the organization, for example, it should use that capability in another part. Rasmussen has seen companies roll out intrusion detection systems and then neglect to have anyone monitor them. "Intrusion detection doesn't make much sense if you're not going to have analysis behind it," he says. Many companies could also do a better job of making sure that new operating systems and applications are securely configured when they are installed, and have patches added when new vulnerabilities are exposed, he says.


Checking Compliance

When auditors come knocking, it isn't enough for a company to just show its policies for how it will comply with regulations and then describe its identity and access control management practices. Auditors are looking for a process to monitor problems -- and a process to fix them. Security information management systems, which aggregate log data from security devices, network devices and applications, can help companies show that they can find lapses in compliance. Such products also offer real-time event management, as well as security analytics and reporting.
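The verification loop the article describes (the checklist's VERIFY step, Nicolett's log monitoring for resource access, and the lapse-finding an auditor wants evidence of), as an added example that is not from the article: a small Python audit over constructed application and database log lines, checking each access to a protected data asset against a role policy and producing the per-asset counts that document the check. The asset names, roles, users and log formats are all constructed for the example.

```python
import re
from collections import Counter

# Constructed policy (the checklist's DEFINE step): protected assets and the roles allowed to use them.
ASSET_ROLES = {"patient_records": {"clinician", "billing"}, "financial_ledger": {"finance", "auditor"}}
# Constructed identity data (user -> role), as an identity-management directory would supply it.
USER_ROLE = {"alice": "clinician", "bob": "finance", "carol": "helpdesk", "dave": "auditor"}
# Two constructed log formats, standing in for the application and database sources a SIM aggregates.
LOG_FORMATS = [
    re.compile(r"^(?P<ts>\S+) app user=(?P<user>\w+) action=(?P<action>\w+) asset=(?P<asset>\w+)$"),
    re.compile(r"^(?P<ts>\S+) db\[(?P<user>\w+)\] (?P<action>SELECT|UPDATE|DELETE) (?P<asset>\w+)$"),
]
# Constructed sample lines: two legitimate accesses, two violations, one out-of-scope asset, one noise line.
SAMPLE_LOGS = [
    "2005-11-01T09:00:00 app user=alice action=read asset=patient_records",
    "2005-11-01T09:01:00 app user=carol action=read asset=patient_records",
    "2005-11-01T09:02:00 db[bob] SELECT financial_ledger",
    "2005-11-01T09:03:00 db[mallory] UPDATE financial_ledger",
    "2005-11-01T09:04:00 app user=carol action=read asset=helpdesk_tickets",
    "2005-11-01T09:05:00 kernel: eth0 link up",
]

def parse_event(line):
    """Normalize one raw line into a common event dict, or None if it is not an access record."""
    for rx in LOG_FORMATS:
        m = rx.match(line.strip())
        if m:
            return {**m.groupdict(), "action": m.group("action").lower()}
    return None

def audit(lines):
    """Return (violations, summary): policy-violating accesses plus per-asset counts for the audit record."""
    violations, checked = [], Counter()
    for line in lines:
        event = parse_event(line)
        if event is None or event["asset"] not in ASSET_ROLES:
            continue  # unparsed line, or an asset the policy does not cover
        checked[event["asset"]] += 1
        role = USER_ROLE.get(event["user"], "unknown")  # an unknown identity is itself a lapse
        if role not in ASSET_ROLES[event["asset"]]:
            violations.append({**event, "role": role})  # the "notify IT personnel" hook belongs here
    violating = Counter(v["asset"] for v in violations)
    summary = {a: {"checked": checked[a], "violations": violating[a]} for a in ASSET_ROLES}
    return violations, summary
```

Run against the sample lines, the audit flags the helpdesk user reading patient records and the unknown identity updating the ledger, and the summary shows two checked accesses and one violation per asset.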


One cautionary note: Auditors' requirements for monitoring will probably get more specific, according to one expert, as they learn more about what types of technology-fueled capabilities companies can deliver.


Security Slip-ups: What's at Stake

HIPAA, SOX, European data privacy laws and opt-in email laws, among other regulations, all have penalties attached to them for noncompliance. For example, in Italy, commercial spamming has become a crime punishable by fines of up to 90,000 euros and jail time. U.S. regulators have shown that they are not afraid to go after companies on security-related violations. In April 2004, after the Federal Trade Commission alleged that a security flaw on TowerRecords.com exposed customers' personal information, violating federal law and the Website's privacy policy, Tower Direct signed a consent decree agreeing to have its Website security audited by an outside firm every two years for the next decade. Just over a week later, in response to the New York Attorney General's office investigation of a vulnerability on BarnesandNoble.com that could permit unauthorized access to customer accounts, the online bookseller agreed to establish an information security effort, set up programs for management oversight and employee training, hire an external auditor, and pay additional costs and penalties.


Even in the face of these cautionary tales, some companies may be tempted to do the minimal amount of work possible to comply with regulations. But experts say companies would be better served by taking a proactive approach. "Minimal compliance with legislation is not a strategic investment," says Bentley's Ray. "The challenge for security personnel in all companies is to demonstrate how security investments can yield return through reduction of financial risk, maintenance of customer confidence or other business metrics. But it is going to require a shift in thinking for those security officers, as well as some extra work to develop and monitor metrics on return on security investment."
